Security updates have been issued by Arch Linux (bind, libofx, and thunderbird), Debian (thunderbird, xdg-utils, and xen), Fedora (procps-ng), Mageia (gnupg2, mbedtls, pdns, and pdns-recursor), openSUSE (bash, GraphicsMagick, icu, and kernel), Oracle (thunderbird), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, and thunderbird), Scientific Linux (thunderbird), and Ubuntu (curl).
Security updates have been issued by Debian (imagemagick), Fedora (curl, glibc, kernel, and thunderbird-enigmail), openSUSE (enigmail, knot, and python), Oracle (procps-ng), Red Hat (librelp, procps-ng, redhat-virtualization-host, rhev-hypervisor7, and unboundid-ldapsdk), Scientific Linux (procps-ng), SUSE (bash, ceph, icu, kvm, and qemu), and Ubuntu (procps and spice, spice-protocol).
Security updates have been issued by CentOS (java-1.7.0-openjdk, java-1.8.0-openjdk, kernel, libvirt, and qemu-kvm), Debian (procps), Fedora (curl, mariadb, and procps-ng), Gentoo (samba, shadow, and virtualbox), openSUSE (opencv, openjpeg2, pdns, qemu, and wget), Oracle (java-1.8.0-openjdk and kernel), Red Hat (java-1.7.0-openjdk, java-1.8.0-openjdk, kernel, kernel-rt, libvirt, qemu-kvm, qemu-kvm-rhev, redhat-virtualization-host, and vdsm), Scientific Linux (java-1.7.0-openjdk, java-1.8.0-openjdk, kernel, libvirt, and qemu-kvm), Slackware (kernel, mozilla, and procps), SUSE (ghostscript-library, kernel, mariadb, python, qemu, and wget), and Ubuntu (linux-raspi2 and linux-raspi2, linux-snapdragon).
Security updates have been issued by Debian (gitlab and packagekit), Fedora (glibc, postgresql, and webkitgtk4), Oracle (java-1.7.0-openjdk, java-1.8.0-openjdk, kernel, libvirt, and qemu-kvm), Red Hat (java-1.7.0-openjdk, kernel-rt, qemu-kvm, and qemu-kvm-rhev), SUSE (openjpeg2, qemu, and squid3), and Ubuntu (kernel, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oem, linux, linux-aws, linux-kvm, linux-hwe, linux-azure, linux-gcp, linux-oem, linux-lts-trusty, linux-lts-xenial, linux-aws, qemu, and xdg-utils).
Security updates have been issued by Arch Linux (lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, and libcurl-gnutls), CentOS (firefox), Debian (imagemagick), Fedora (exiv2, LibRaw, and love), Gentoo (chromium), Mageia (kernel, librelp, and miniupnpc), openSUSE (curl, enigmail, ghostscript, libvorbis, lilypond, and thunderbird), Red Hat (Red Hat OpenStack Platform director), and Ubuntu (firefox).
Security updates have been issued by Arch Linux (runc), Debian (curl), Fedora (xdg-utils), Mageia (firefox), openSUSE (libreoffice, librsvg, and php5), Slackware (curl and php), SUSE (curl, firefox, kernel, kvm, libapr1, libvorbis, and memcached), and Ubuntu (curl, dpdk, php5, and qemu).
Security updates have been issued by CentOS (dhcp), Debian (xen), Fedora (dhcp, flac, kubernetes, leptonica, libgxps, LibRaw, matrix-synapse, mingw-LibRaw, mysql-mmm, patch, seamonkey, webkitgtk4, and xen), Mageia (389-ds-base, exempi, golang, graphite2, libpam4j, libraw, libsndfile, libtiff, perl, quassel, spring-ldap, util-linux, and wget), Oracle (dhcp and kernel), Red Hat (389-ds-base, chromium-browser, dhcp, docker-latest, firefox, kernel-alt, libvirt, qemu-kvm, redhat-vertualization-host, rh-haproxy18-haproxy, and rhvm-appliance), Scientific Linux (389-ds-base, dhcp, firefox, libvirt, and qemu-kvm), and Ubuntu (poppler).
Post syndicated from Chris Munns; original: https://aws.amazon.com/blogs/compute/extending-amazon-linux-2-with-epel-and-lets-encrypt/
This post courtesy of Jeff Levine, Solutions Architect for Amazon Web Services.
Amazon Linux 2 is the next generation of Amazon Linux, a Linux server operating system from Amazon Web Services (AWS). Amazon Linux 2 offers a high-performance Linux environment suitable for organizations of all sizes. It supports applications ranging from small websites to enterprise-class, mission-critical platforms.
Amazon Linux 2 includes support for the LAMP (Linux/Apache/MariaDB/PHP) stack, one of the most popular platforms for deploying websites. To secure data in transit to such websites and prevent eavesdropping, organizations commonly use Secure Sockets Layer/Transport Layer Security (SSL/TLS), which relies on certificates to provide encryption. The LAMP stack provided by Amazon Linux 2 includes a self-signed SSL/TLS certificate. Such certificates may be fine for internal usage but are not acceptable when attestation by a certificate authority is required.
In this post, I discuss how to extend the capabilities of Amazon Linux 2 by installing Let’s Encrypt, a certificate authority provided by the Internet Security Research Group. Let’s Encrypt offers basic SSL/TLS certificates for DNS hosts at no charge that you can use to add encryption-in-transit to a single web server. For commercial or multi-server configurations, you should consider AWS Certificate Manager and Elastic Load Balancing.
Let’s Encrypt also requires the certbot package, which you install from EPEL, the Extra Packages for Enterprise Linux collection. Although EPEL is not included with Amazon Linux 2, I show how you can install it from the Fedora Project.
At a high level, you perform the following tasks for this walkthrough:
- Provision a VPC, Amazon Linux 2 instance, and LAMP stack.
- Install and enable the EPEL repository.
- Install and configure Let’s Encrypt.
- Validate the installation.
- Clean up.
Prerequisites and costs
To follow along with this walkthrough, you need the following:
- An AWS account that provides access to Amazon EC2 and Amazon VPC.
- An Amazon EC2 key pair.
- A program such as PuTTY that allows you to connect to the Amazon Linux 2 instance using the SSH protocol.
- Working knowledge of Amazon EC2 and Amazon VPC.
- The ability to configure DNS entries for a host domain.
You may incur charges for the resources you use including, but not limited to, the Amazon EC2 instance and the associated network charges.
Step 1: Provision a VPC, Amazon Linux 2 instance, and LAMP stack
- Create a VPC with a single public subnet, a routing table, and an internet gateway.
- Launch an Amazon Linux 2 instance in the VPC that you just created. Make sure that you do the following:
- Select the Amazon Linux 2 AMI.
- Choose t2.micro for the instance type.
- Accept all other default values, including those for storage.
- Create a new security group and accept the default rule that allows TCP port 22 (SSH) from everywhere (0.0.0.0/0 in IPv4). For the purposes of this walkthrough, permitting access from all IP addresses is reasonable. In a production environment, you may restrict access to different addresses.
- Allocate and associate an Elastic IP address to the server when it enters the running state.
- Install a LAMP stack.
- Browse to the Elastic IP address that you just created and confirm that you can see the Apache test page, as illustrated below.
Step 2: Install and enable EPEL
- Connect to your Amazon Linux 2 instance at the Elastic IP address that you just created.
- Download and install the EPEL repository using the following commands:
cd /tmp
wget -O epel.rpm -nv \
  https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum install -y ./epel.rpm
Respond “Y” to all requests for approval to install the software.
Step 3: Install and configure Let’s Encrypt
- If you are no longer connected to the Amazon Linux 2 instance, connect to it at the Elastic IP address that you just created.
- Install certbot, the Let’s Encrypt client used to obtain an SSL/TLS certificate and install it into Apache.
sudo yum install python2-certbot-apache.noarch
Respond “Y” to all requests for approval to install the software.
If you see a message appear about SELinux, you can safely ignore it. This is a known issue with the latest version of certbot.
- Create a DNS “A record” that maps a host name to the Elastic IP address. For this post, assume that the name of the host is lamp.example.com. If you are hosting your DNS in Amazon Route 53, do this by creating the appropriate record set.
- After the “A record” has propagated, browse to lamp.example.com. The Apache test page should appear. If the page does not appear, use a tool such as nslookup on your workstation to confirm that the DNS record has been properly configured.
- You are now ready to install Let’s Encrypt. Let’s Encrypt does the following:
- Confirms that you have control over the DNS domain being used, by having you create a DNS TXT record using the value that it provides.
- Obtains an SSL/TLS certificate.
- Modifies the Apache-related scripts to use the SSL/TLS certificate and redirects users browsing the site in HTTP mode to HTTPS mode.
- Use the following command to run certbot:
sudo certbot -i apache -a manual \
  --preferred-challenges dns -d lamp.example.com
The options have the following meanings:
- -i apache: Use the Apache installer.
- -a manual: Authenticate domain ownership manually.
- --preferred-challenges dns: Use DNS TXT records for the authentication challenge.
- -d lamp.example.com: Specify the domain for the SSL/TLS certificate.
- You are prompted for the following information:
- E-mail address for renewals? Enter an email address for certificate renewals.
- Accept the terms of service? Respond as appropriate.
- Send your e-mail address to the EFF? Respond as appropriate.
- Log your current IP address? Respond as appropriate.
- You are prompted to deploy a DNS TXT record with the name “_acme-challenge.lamp.example.com” with the supplied value, as shown below.
- After you enter the record, wait until the TXT record propagates. To look up the TXT record to confirm the deployment, use the nslookup command in a separate command window, as shown below. Remember to use the set ty=txt command before entering the TXT record.
You are prompted to select a virtual host. There is only one, so choose 1. The final prompt asks whether to redirect HTTP traffic to HTTPS. To perform the redirection, choose 2. That completes the configuration of Let’s Encrypt.
- To enable HTTPS (TCP port 443) traffic, add a rule to the security group for your Amazon Linux 2 instance.
Step 4: Validate the installation
- Browse to the http://lamp.example.com site. You are redirected to the SSL/TLS page https://lamp.example.com.
- To look at the encryption information, use the appropriate actions within your browser. For example, in Firefox, you can open the padlock and traverse the menus.
In the encryption technical details, you can see from the “Connection Encrypted” line that traffic to the website is now encrypted using TLS 1.2.
Security note: As of the time of publication, this website also supports TLS 1.0. I recommend that you disable this protocol because of some known vulnerabilities associated with it. To do this:
- Edit the file /etc/letsencrypt/options-ssl-apache.conf.
- Look for the line beginning with SSLProtocol and change it to the following:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
- Save the file. After you make changes to this file, Let’s Encrypt no longer automatically updates it. Periodically check your log files for recommended updates to this file.
- Restart the httpd server with the following command:
sudo service httpd restart
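The hardening step above can be scripted and checked rather than edited by hand. The following is an added example, not code from the post or from certbot: the function names are mine, the file path is the one the post names, and the file is assumed to carry a single-line SSLProtocol directive as the post describes.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the TLS 1.0 hardening
# step to certbot's Apache options file and verify it, instead of editing by hand.
# Assumes the file uses a single-line "SSLProtocol ..." directive, as in the post.
WANT="SSLProtocol all -SSLv2 -SSLv3 -TLSv1"

# Print the protocol list of the first SSLProtocol directive (empty if absent).
current_protocols() {
    grep -m1 -E '^[[:space:]]*SSLProtocol[[:space:]]' "$1" |
        sed -E 's/^[[:space:]]*SSLProtocol[[:space:]]+//'
}

# Succeed (exit 0) when the directive still permits TLS 1.0.
# No directive at all means httpd's default, which allows TLS 1.0.
tls10_allowed() {
    p=$(current_protocols "$1")
    [ -z "$p" ] && return 0
    enabled=1
    for tok in $p; do
        case "$tok" in
            -TLSv1) return 1 ;;                 # explicit exclusion wins
            all|+all|TLSv1|+TLSv1) enabled=0 ;; # "all" or TLSv1 listed
        esac
    done
    return $enabled
}

# Rewrite the directive (keeping a .bak copy), or append it if missing,
# then report whether TLS 1.0 is now excluded.
harden_sslprotocol() {
    f="$1"
    cp "$f" "$f.bak"
    if grep -qE '^[[:space:]]*SSLProtocol[[:space:]]' "$f"; then
        sed -E "s/^[[:space:]]*SSLProtocol[[:space:]].*/$WANT/" "$f.bak" > "$f"
    else
        printf '%s\n' "$WANT" >> "$f"
    fi
    ! tls10_allowed "$f"
}

# Usage: sh harden_tls.sh /etc/letsencrypt/options-ssl-apache.conf && sudo service httpd restart
if [ -n "$1" ]; then
    harden_sslprotocol "$1" && echo "TLS 1.0 disabled in $1; restart httpd to apply"
fi
```

Run it with sudo against the path the post names, then restart httpd as in the step above; the .bak copy lets you compare what certbot originally wrote.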
Step 5: Cleanup
Use the following steps to avoid incurring any further costs.
- Terminate the Amazon Linux 2 instance that you created.
- Release the Elastic IP address that you allocated.
- Revert any DNS changes that you made, including the A and TXT records.
Amazon Linux 2 is an excellent option for hosting websites through the LAMP stack provided by the Amazon-Linux-Extras feature. You can then enhance the security of the Apache web server by installing EPEL and Let’s Encrypt. Let’s Encrypt provisions an SSL/TLS certificate, optionally installs it for you on the Apache server, and enables data-in-transit encryption.
You can get started with Amazon Linux 2 in just a few clicks.
Security updates have been issued by Arch Linux (firefox, llpp, and webkit2gtk), Debian (kwallet-pam), Fedora (kernel and pam-kwallet), Gentoo (mpv), Oracle (389-ds-base, firefox, libvirt, and qemu-kvm), and Ubuntu (php5 and php5, php7.0, php7.1, php7.2).
Security updates have been issued by Debian (tiff and tiff3), Fedora (glusterfs, kernel, libgxps, LibRaw, postgresql, seamonkey, webkit2gtk3, wget, and xen), Mageia (afflib, flash-player-plugin, imagemagick, qpdf, and transmission), openSUSE (Chromium, opencv, and xen), SUSE (kernel), and Ubuntu (firefox).
Security updates have been issued by Arch Linux (libmupdf, mupdf, mupdf-gl, and mupdf-tools), Debian (firebird2.5, firefox-esr, and wget), Fedora (ckeditor, drupal7, firefox, kubernetes, papi, perl-Dancer2, and quassel), openSUSE (cairo, firefox, ImageMagick, libapr1, nodejs6, php7, and tiff), Red Hat (qemu-kvm-rhev), Slackware (mariadb), SUSE (xen), and Ubuntu (openjdk-8).
Security updates have been issued by Arch Linux (freetype2, libraw, and powerdns), CentOS (389-ds-base and kernel), Debian (php5, prosody, and wavpack), Fedora (ckeditor, fftw, flac, knot-resolver, patch, perl, and perl-Dancer2), Mageia (cups, flac, graphicsmagick, libcdio, libid3tag, and nextcloud), openSUSE (apache2), Oracle (389-ds-base and kernel), Red Hat (389-ds-base and flash-plugin), Scientific Linux (389-ds-base), Slackware (firefox and wget), SUSE (xen), and Ubuntu (wget).
The CoreOS blog is carrying an article describing the path forward now that CoreOS is owned by Red Hat. “Since Red Hat’s acquisition of CoreOS was announced, we received questions on the fate of Container Linux. CoreOS’s first project, and initially its namesake, pioneered the lightweight, ‘over-the-air’ automatically updated container native operating system that fast rose in popularity running the world’s containers. With the acquisition, Container Linux will be reborn as Red Hat CoreOS, a new entry into the Red Hat ecosystem. Red Hat CoreOS will be based on Fedora and Red Hat Enterprise Linux sources and is expected to ultimately supersede Atomic Host as Red Hat’s immutable, container-centric operating system.” Some information can also be found in this Red Hat press release.
Security updates have been issued by Debian (libdatetime-timezone-perl, libmad, lucene-solr, tzdata, and wordpress), Fedora (drupal7, scummvm, scummvm-tools, and zsh), Mageia (boost, ghostscript, gsoap, java-1.8.0-openjdk, links, and php), openSUSE (pam_kwallet), and Slackware (python).
There is a new initiative in the Fedora community based on what used to be called “Fedora Atomic Workstation”. From this whitepaper [PDF]: “The descriptive name for this product is image-mode container-based Fedora Workstation based on rpm-ostree, which is clear but terrible for branding. Therefore, we call it Team Silverblue. The long-term goal for this effort is to transform Fedora Workstation into an image-based system where applications are separate from the OS and updates are atomic.”
Security updates have been issued by Fedora (cups-filters, ghostscript, glusterfs, PackageKit, qpdf, and xen), Mageia (anki, libofx, ming, sox, webkit2, and xdg-user-dirs), Oracle (corosync, java-1.7.0-openjdk, and pcs), Red Hat (java-1.7.0-openjdk), Scientific Linux (corosync, firefox, gcc, glibc, golang, java-1.7.0-openjdk, java-1.8.0-openjdk, kernel, krb5, librelp, libvncserver, libvorbis, ntp, openssh, openssl, PackageKit, patch, pcs, policycoreutils, qemu-kvm, and xdg-user-dirs), Slackware (libwmf and mozilla), and Ubuntu (apache2, ghostscript, mysql-5.7, wavpack, and webkit2gtk).
The Fedora 28 release has been announced. “The headline feature for Fedora 28 Server is the inclusion of the new Modular repository. This lets you select between different versions of software like NodeJS or Django, so you can chose the stack you need for your software.” Some users will also appreciate that proprietary blobs (such as the NVIDIA drivers) are now easier to obtain and install.
Security updates have been issued by Arch Linux (drupal), Debian (chromium-browser, gunicorn, libvorbis, openjdk-8, roundcube, sdl-image1.2, slurm-llnl, and tor), Fedora (boost, cups-filters, ghostscript, gsoap, memcached, mod_http2, and qpdf), openSUSE (Chromium and mysql-community-server), and Red Hat (glusterfs, OpenShift Container Platform 3.1, OpenShift Container Platform 3.2, OpenShift Container Platform 3.3, OpenShift Container Platform 3.4, OpenShift Container Platform 3.5, OpenShift Container Platform 3.6, OpenShift Container Platform 3.7, OpenShift Container Platform 3.8, OpenShift Container Platform 3.9, and openvswitch).